What "HIPAA compliant" actually means — and doesn't
"HIPAA compliant" is a sentence. It's not a program, a certification, or a legal protection for your practice.
Any vendor can put "HIPAA compliant" on their website. There's no governing body that certifies it, no audit trail behind the phrase, and no accountability attached to it. What the phrase means, in practice, is that the vendor has some policies in place and believes they meet HIPAA's requirements.
That's genuinely different from a signed BAA.
A Business Associate Agreement is a contract. It does several specific things that "HIPAA compliant" does not:
1. It names the vendor as a Business Associate under HIPAA. This is the legal designation that brings them under the law's requirements. A vendor handling PHI without this designation isn't just at risk — your practice is at risk, because you created a relationship without the required safeguards.
2. It defines what the vendor can and cannot do with PHI. A good BAA specifies how they may use protected health information, who within their organization may access it, how they'll handle a breach, and what happens to PHI when the relationship ends.
3. It creates shared accountability for a breach. If patient data is exposed, the BAA determines who notifies whom, on what timeline, and under what standard. Without it, your practice holds the liability alone — including for a vendor's failure.
4. It establishes a breach notification obligation. Under HIPAA's Breach Notification Rule, your Business Associate is required to notify you of a breach within 60 days. That obligation only exists if there's a signed BAA in place. Without one, you may not learn about an exposure until it surfaces somewhere else.
---
This is where the gap is most common.
Medical practices spend real time vetting their EHR vendor, their billing service, their lab partners. A BAA is standard in those relationships. But the answering service — the vendor handling patient calls every night, every weekend, every holiday — sometimes gets onboarded because someone handed the office manager a brochure at a conference, or because the previous answering service retired and this one offered the fastest setup.
The patient calls going through that service contain PHI. A patient calling after hours to describe symptoms, request a prescription refill, or report a concerning side effect is generating protected health information. The operator taking that call, documenting it, and routing the message to the on-call physician is handling PHI on your behalf.
That's the definition of a Business Associate.
If there's no signed BAA, you have an unmanaged Business Associate relationship. In HIPAA terms, that's a compliance gap — one that OCR (the HHS Office for Civil Rights) has assessed penalties for in enforcement actions.
---
The answering service industry is changing. AI-powered voice services are entering the medical market with pricing that undercuts traditional operators. Several are marketing themselves as "HIPAA compliant" because they have a model agreement they'll sign.
A few things worth knowing before you take that at face value:
The audio/voice layer is still a gap in AI BAA coverage. As of mid-2026, at least one major AI platform provider — whose API powers several AI receptionist products — does not extend BAA coverage to audio and voice data. The BAA covers text; the call audio may not be covered. This is a documented gap in published vendor terms, not speculation. Ask any AI answering vendor specifically: "Does your BAA cover audio recordings and voice data?"
"Signs a BAA" and "has a compliant BAA" are different things. A BAA that permits overly broad secondary uses of PHI, lacks breach notification timelines, or doesn't specify data destruction procedures at contract end is a weaker document than it appears. The existence of a signature matters; so does what the agreement actually says.
Human operators with a properly executed BAA remain the cleaner compliance path for voice. This isn't an argument against AI generally. It's a statement about where the documentation standard is today. The legal and compliance infrastructure around AI voice is still being built.
---
If you're evaluating a new answering service, or auditing your current one, these are the questions that matter:
---
A signed BAA is the floor, not the ceiling. It's the minimum that makes a Business Associate relationship legal. Above the floor, there's a range — BAAs that are thorough and operationally backed, and BAAs that are technically present but functionally thin.
For a medical practice, the decision about who answers your phones is not just an operational choice. It's a compliance decision. The answering service handles after-hours patient calls, urgent medication requests, the 2 a.m. call from the patient who doesn't know if what they're experiencing is serious.
That vendor should be able to hand you a BAA before you finish the onboarding call. They should know their breach notification timeline. They should be able to explain, specifically, what their operators are trained to handle and what they escalate.
A Message Center has been handling medical practice calls since before HIPAA existed. We're a US-based, Service-Disabled Veteran-Owned Small Business — and our BAA is available for review before you sign anything. Our operators are trained on medical call handling, triage protocols, and on-call dispatch.
If you want to review our BAA or talk through your current setup, reach out. No pressure — just a real conversation about whether your after-hours coverage is doing what you need it to do.
Contact Us or call (800) 248-2255.